13 Play Store apps infected with Brain Test malware

Thirteen more malicious apps were struck from Google's Play Store at the end of 2015 after having been discovered to be stricken with the Brain Test malware.

Named for an app discovered on the Play Store by Check Point, the Brain Test malware gains root privilege to Android devices and downloads application packages to the infected phone, allowing the adversary a free ride with the unlucky victim's device.

Check Point's reports explains, “Once this malware was detected on a device, Mobile Threat Prevention adjusted security policies on the Mobile Device Management solution managing the affected devices automatically, thereby blocking enterprise access from the infected devices.” A simple factory reset on the infected devices will just not do. More than simply overstaying its welcome, Brain Test also downloads other unwanted apps to the infected phone and establishes a rootkit, allowing it to download and execute code on that infected device and giving the infector free reign over it.

Lookout, another cyber-security company, found several apps in October 2015 that looked suspiciously similar to Brain Test. Although researchers couldn't connect these apps initially, one particular app called Cake Tower received an update in late December. This update gave Cake Tower the same kind of tools, like an updated C2 server, that Brain Test had, which according to Lookout “was the smoking gun we needed to tie together the apps”.

Thirteen such apps were eventually found all showing the indelible fingerprint of Brain Test's authors, all with tantalising names like Jump Planet or Crazy Jelly. The notably perplexing thing about these 13 instances is the overwhelming high ratings and glowing reviews which they came with. This too was all down to the malware. Brain Test doesn't just infect but, like any successful disease, perpetuates its own infection.

And it does this in a number of ways. Firstly, it can download other apps that the dastardly authors have rigged with the Brain Test malware, which in and of itself boosts its rating. But perhaps even more interesting is that it makes infected devices rate the culprit apps and leave reviews. While some apps are just fun, thus warranting the high marks on the Play Store, the Brain Test malware allows infected devices to rate apps and post to the Play Store too. Lookout reported these to Google, which promptly removed them. But how did it even get to that point and why didn't the Play Store's defense systems nip this malware in the bud before it could go around infecting Play Store users?

This particular family of malware seems pretty good at avoiding Google's anti-malware systems, like Google Bouncer. Check Point's analysis of Brain Test showed that the malware could bypass them by detecting if the malware is being run from a domain with those security measures. If present, the malware would not carry out its malicious functions. The authors also used dynamic code loading, timebombs and reverse engineering to prevent reverse engineering the malware.

SCMagazineUK.com spoke to a Check Point spokesperson who said plainly: “This is illegal. The application downloads and installs additional applications without user consent and rates them, checks if the device is rooted and if so, it installs components into the system directory to achieve persistency on the device even after factory reset.”

There are several ways it could have gotten round the Play Store's detection. For example, the authors of the malware may have changed the command and control server and in fact the C&C server only became malicious after a software update. Check Point added, “The authors of the malware removed the exploit pack (that was part of the original brain test app) that is designed to root the device for malicious purposes.”

Lookout researchers noted that over the couple of months between initial discovery and Google taking the Brain Test apps out of the store, “The malware authors used different names, games, and techniques to see what apps they could publish in Play while flying under the radar.” The authors also used, according to Check Point, “off-the-shelf obfuscation” to bring the Brain Test malware back into the Play Store.

A Lookout spokesperson told that it would be hard for Google to detect these infections: "The malware authors used a combination of techniques, including detecting whether or not it was being run in an emulated environment and waiting for instructions from the command-and-control server before executing malicious functionality. Plus, much of the malicious code was stored in an encrypted asset, which likely aided its evasion."

The goal for the authors, said Lookout, is to sell guarantees on application installation to developers, mostly in China. "In order to facilitate the installs, they rely on compromising a large number of devices and then pushing the installs to those devices." This tactic isn't new, and there have been multiple sightings of this kind of malware on Android devices. That said, Lookout added, "I'd imagine that the actors behind this scheme have been monetarily successful – this malware made it onto a mainstream app store, and in some cases, obtained over 500,000 downloads and an average 4.5 rating before removal."

This is not the first time Google has had to boot infected apps off the Play Store, or that infected apps have been found on the store. Several times last year, popular apps from Chinese authors were found to be infected with malware or to be able to exploit Android vulnerabilities. One scan of the play store found 30,000 apps to have malicious code.